Appendix C Using Active Directory as the User Data Store

This appendix describes how to use Microsoft Active Directory as the user data store for Access Manager 7.1. First review the Overview of Using Active Directory as the User Data Store and check the Requirements to Use Active Directory as the User Data Store. Then follow the steps in these sections:

• Configuring Active Directory With Access Manager Schema Files

• Configuring an Access Manager Identity Repository LDAPv3 Data Store For Active Directory

Overview of Using Active Directory as the User Data Store

By default, Access Manager 7.1 defines a set of object classes and attributes. These object classes and attributes are required in your Active Directory server if you want Access Manager to manage your Active Directory server.

The Access Manager Console provides user management functionality based on the Access Manager's predefined set of object classes and attributes, as specified through the Access Manager XML files. If the Active Directory server you are trying to access does not have these required object classes or the attributes defined, access involving the missing object class or attributes will fail, unless you change the user XML files to match the attributes defined for your Active Directory server.

For example, when you create a user via the Access Manager Console, the Console writes out to the Active Directory server the predefined set of Access Manager object classes and attributes for the user. If the Active Directory server is not configured with the same set of user object classes and attributes, the user create operation will fail. When you use the Console's user information page to edit a user's information, unless the Active Directory server has the same set of attributes and/or object classes defined for the user as Access Manager does, the operation will fail.

The Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 plug-in provides attribute name mapping. You can refer to an attribute name as one name in Access Manager and a different name in your Active Directory server. As a result, you need not have all Access Manager attributes defined in Active Directory if you use attribute name mapping. However, if Access Manager has more attributes than you have in your Active Directory server, you cannot do one-to-one mapping, and some Access Manager read or write operations will fail due to missing attributes in the Active Directory server.

Requirements to Use Active Directory as the User Data Store

To use Active Directory as the user data store, your deployment must meet these requirements:

• Access Manager 7.1 requires patch 1 for your specific platform. For information about patch 1, see Access Manager 7.1 Patch Releases in Sun Java System Access Manager 7.1 Release Notes.

• Active Directory must be running on Windows Server 2003 with “Windows Server 2003 forest functional level” enabled. For more information, see:

  http://support.microsoft.com/?id=322692#4

Configuring Active Directory With Access Manager Schema Files

The Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 plug-in must be able to assign the service's object class name to the user's object class attribute, so it can tell if a user has been assigned a given service. The following procedure describes how to load the Access Manager schema files into Active Directory and then to configure Access Manager to enable the Access Manager services.

To Configure Active Directory with Access Manager Schema Files

1. Make sure that Active Directory has “Windows Server 2003 forest functional level” enabled.

2. Edit the am_remote_ad_schema.ldif file by replacing @ROOT_SUFFIX@ with the actual root suffix of your Active Directory installation.

   After you have installed Access Manager 7.1 patch 1, this file is available in the following directory, depending on your platform:

   • Solaris systems: /etc/opt/SUNWam/config/ldif

   • Linux systems: /etc/opt/sun/identity/config/ldif

   • Windows systems: C:\Program Files\Sun\JavaES5\identity\config\ldif

3. Using Active Directory tools (or another tool of your choice), load the am_remote_ad_schema.ldif file from the previous step into Active Directory.

4. In the Access Manager Administration Console:

   • Under Attribute Name Mapping, remove iplanet-am-user-alias-list=objectGUID and portalAddress=sAMAccountName.

   • In the datastore configuration page's LDAP User Attributes field, add the attribute names defined in the above LDIF files.

5. If you are writing your own service with dynamic user attributes, the service.ldif file for Active Directory must NOT have the following lines:

   dn: CN=User,CN=Schema,CN=Configuration,ROOT_SUFFIX
   changetype: modify
   add: auxiliaryClass
   auxiliaryClass: yourClassname
   

   Otherwise, Access Manager will not be able to assign the service's object class name to the user's object class attribute.

Configuring an Access Manager Identity Repository LDAPv3 Data Store For Active Directory

Using an example, this section shows how you can configure an Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 data store to point a freshly installed Active Directory, including:

• Configuration Example

• Operational Notes

• Configuring an Authentication Module to Login Through Active Directory

Configuration Example

The following configuration example assumes:

• You have a freshly installed Active Directory.

• You have not made any changes to the Access Manager 7.1 patch 1 schema, attributes, or XML files.

---

Note –

This section shows an example. Some additional modifications might be required for your actual environment.

---

In the Access Manager Administration Console, set the following Active Directory attributes. For information about an attribute, refer to the Console online Help.

Primary LDAP Server: Active Directory server name and port number that you want to connect to. For example: myADServer.example.com:389

LDAP Bind DN: CN=Administrator,CN=Users,DC=example,DC=com

LDAP Bind Password: Password for CN=Administrator,CN=Users,DC=example,dc=com

LDAP Organization DN: DC=example,DC=com — Organization DN that this datastore will map to. This will be the base DN of all operations performed in this data store.

Enable LDAP SSL: Select if the Active Directory server is in SSL mode.

LDAP Connection Pool Minimum Size: Initial number of connections in the connection pool. The use of connection pool avoids having to create a new connection each time.

LDAP Connection Pool Maximum Size: Maximum number of connections allowed.

Maximum Results Returned from Search: Maximum number of search results to return. This value should be based on the size of your LDAP organization. The maximum number returned cannot exceed the ns size limit configured for the Active Directory server.

Search Timeout: Maximum time in seconds to wait for results on a search operation.

LDAP Follows Referral: Option specifying whether or not referrals to other LDAP servers are followed automatically.

LDAPv3 Repository Plugin Class Name: Where to find the class file that implements the LDAPv3 repository.

Attribute Name Mapping: Allows for common attributes known to the framework to be mapped to the native data store. Map the attributes as follows:

• mail=userPrincipalName

• iplanet-am-user-alias-list=objectGUID

• employeeNumber=distinguishedName

• uid=sAMAccountName

• portalAddress=sAMAccountName

• telephonenumber=displayName

LDAPv3 Plugin Supported Types and Operations: No change is needed.

LDAP Users Search Attribute: cn — Naming attribute of user.

LDAP Users Search Filter: (objectclass=person)

LDAP User Object Class: Object classes for user. When a user is created, this list of user object classes will be added to the user's attributes list. Therefore, it is important that the object classes you entered here actually exist in the Active Directory server; otherwise, you will get an object class violation (error=65).

Enter the following object classes (names are not case sensitive):

• top

• person

• organizationalPerson

• user

LDAP User Attributes: Definitive list of attributes associated with a user. If an attribute is not on this list, it will not be sent or read. Therefore, if there is any possibility that the user entry can contain this attribute, you should list it here. Or, if the attribute is not defined in the Active Directory server, you should not enter it here; otherwise, you will get an error when Access Manager tries to write this attribute to Active Directory. Enter the following attributes (names are not case sensitive):

• cn, description, displayName, distinguishedName, dn, employeeNumber, givenName, mail, manager, memberOf, name, objectClass, objectGUID, postalAddress, sAMAccountName, sAMAccountType, sn, streetAddress, telephoneNumber, userAccountControl, userpassword, userPrincipalname

• iplanet-am-auth-configuration, iplanet-am-auth-login-success-url, iplanet-am-auth-login-failure-url, iplanet-am-auth-post-login-process-class

• iplanet-am-session-add-session-listener-on-all-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-destroy-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status

• iplanet-am-user-auth-modules, iplanet-am-user-login-status, iplanet-am-user-admin-start-dn, iplanet-am-user-auth-config, iplanet-am-user-alias-list, iplanet-am-user-success-url, iplanet-am-user-failure-url, iplanet-am-user-password-reset-options

• iplanet-am-user-password-reset-question-answer, iplanet-am-user-password-reset-force-reset, sunIdentityServerDiscoEntries, iplanet-am-user-federation-info-key, iplanet-am-user-federation-info sunIdentityMSISDNNumber

• iplanet-am-user-admin-start-dn, iplanet-am-user-account-life, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-failure-url, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url

• sunAMAuthInvalidAttemptsData

• sunIdentityServerDeviceKeyValue, sunIdentityServerDeviceStatus, sunIdentityServerDeviceType, sunIdentityServerDeviceVersion, sunxmlkeyvalue

• sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPSignKey, sunIdentityServerPPDemographicsBirthday, sunIdentityServerPPCommonNameFN, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPCommonNameMN, sunIdentityServerPPLegalIdentityAltIDType, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPAddressCard, sunIdentityServerPPLegalIdentityAltIDValue, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityVATIDValue, sunIdentityServerPPEncryptKey, sunIdentityServerPPMsgContact, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPCommonNamePT, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityVATIDType, sunIdentityServerPPDemographicsAge, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEmergencyContact, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeGreetMeSound, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameSN, sunIdentityServerPPInformalName, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPEmploymentIdentityAltO

User Status Attribute: userAccountControl — Attribute to check to determine if a user is active or inactive. When a user is created, the default user's active or inactive status is assigned based on the value in this field:

• User Status Active Value: 544

• User Status Inactive Value: 546

LDAP Groups Search Attribute: cn — Naming attribute of a group. This attribute name will be used to construct the group's dn and search filter.

LDAP Groups Search Filter: (objectclass=group) — Filter employed when doing a search for groups. The LDAP Groups Search Attribute will be prepended to this field to form the actual group search filter.

LDAP Groups Container Naming Attribute: cn — Naming attribute for a group container if groups resides in a container; otherwise, leave it blank.

LDAP Groups Container Value: users — Value for the group container.

LDAP Groups Object Class: objectclasses for group. When a group is created, this list of group object classes will be added to the group's attributes list. Enter the following object classes (names are not case sensitive):

• group

• top

LDAP Groups Attributes: Definitive list of attributes associated with a group. Any attempt to read or write group attributes that are not on this list is not allowed. Therefore, you should enter all possible attributes. Enter the following attributes (names are not case sensitive):

• objectClass

• sAMAccountName

• distinguishedName

• member

• objectCategory

• dn

• cn

• sAMAccountType

• name

Attribute Name for Group Membership: memberOf — Name of the attribute whose values are the names of all the groups that this dn belongs to.

Attribute Name of Unique Member: member — Attribute name whose value is a dn belonging to this group.

Attribute Name of Group Member URL: memberUrl — Name of the attribute whose value is an LDAP URL that resolves to members belonging to this group.

LDAP People Container Naming Attribute: cn — Naming attribute of people container if user resides in a people container.

LDAP People Container Value: users

LDAP Agents Search Attribute: cn — Naming attribute of an agent. This attribute name will be used to construct the agent's dn and search filter.

LDAP Agents Container Naming Attribute: cn — Naming attribute of agent container if agent resides in an agent container.

LDAP Agents Container Value: users — Value of the agent container.

LDAP Agents Search Filter: (objectClass=sunIdentityServerDevice)— Filter employed when searching for an agent.

LDAP Agents Object Class: ojectclasses for agents. When an agent is created, this list of user object classes will be added to the agent's attributes list. Enter the following object classes (names are not case sensitive):

• person

• organizationalPerson

• sunIdentityServerDevice

• top

LDAP Agents Attributes: Definitive list of attributes associated with a user. Any attempt to read or write user attributes that are not on this list is not allowed. Enter the following attributes (names are not case sensitive):

• cn

• dn

• name

• objectClass

• userPassword

• sunIdentityServerDeviceVersion

• sunIdentityServerDeviceType

• sunIdentityServerDeviceKeyValue

• sunIdentityServerDeviceStatus

• sunxmlkeyvalue

• description

Persistent Search Base DN: DC=example,DC=com — Base DN to use for a persistent search. For Active Directory, this needs to be the root suffix.

Persistent Search Maximum Idle Time Before Restart: Restart the persistence search if it has been idle for this maximum allowed time. Default value is OK.

Maximum Number of Retries After Error Codes: Number of times to retry the persistent search operation if it encounters the error codes specified in LDAP Exception Error Codes to Retry On. Default value is OK.

Delay Time Between Retries: Time to wait before each retry. Applies only to a persistent search connection. Default value is OK.

LDAP Exception Error Codes to Retry On: Retry the persistent search operations if these errors are encountered. Default value is OK.

Operational Notes

The above configuration will allow you to list users and groups. It will also allow you to perform some basic user profile operations. You should be able to change the following user profile information in the Access Manager Console:

• emailaddress

• employeeNumber

• telephonenumber — Active Directory will add it.

• postalAddress — Home address in the Console. Active Directory will add it.

• user alias list

However, you cannot do the following operations because of missing attributes or object classes:

• Cannot create firstname, lastname, fullname.

• Cannot create a group.

• Cannot change the user authentication (iplanet-am-user-auth-config). No attribute exists.

• Cannot change the user status (inetUserStatus). No attribute exists.

• Cannot change the success URL (iplanet-am-user-success-url). No attribute exists.

• Cannot change the failure URL (iplanet-am-user-failure-url). No attribute exists.

• Cannot change the MSISDN number (sunIdentityMSISDNNumber). No attribute exists.

• Cannot create a user or agent in Access Manager Console. The user must be created in Active Directory.

• Cannot change the user or agent password. This change must be done in Active Directory.

Configuring an Authentication Module to Login Through Active Directory

To Configure an Authentication Module to Login Through Active Directory

1. In the Access Manager 7.1 Administration Console, click realm for which you want to add the new authentication chain.

2. Click the Authentication tab.

3. Create a new module instance with the following data:

   • Primary Active Directory server: ADServer:ADServerPort

   • DN to Start User Search: dc=example,dc=com

   • DN for Root User Bind: cn=Administrator,cn=users,dc=RootUser,dc=com

   • Password for Root User Bind: AdministratorPassword

   • Attribute Used to Retrieve User Profile: sAMAccountName

   • Attributes Used to Search for a User to be Authenticated: sAMAccountName

   • Search Scope: SUBTREE

4. Create a new Authentication chaining instance:

   1. Add a new instance for the authentication instance created in the previous step.

   2. Set the criteria to Sufficient.

5. Change Default Authentication Chain to the new authentication chain you just created.

6. Click Save.

Next Steps

To login using Active Directory for authentication, specify the following URL:

http://YourAccessManagerServer:port/amserver/UI/login?org=YourRealmName